Summary: This tutorial from 风哥教程 draws on the official documentation for Linux, Red Hat Enterprise Linux, Ansible Automation Platform, Docker, Kubernetes and Podman, and describes in detail how to configure and use the technologies concerned.
Note from 风哥:
This document describes in detail how to configure NAT (network address translation), including the SNAT, DNAT and MASQUERADE techniques.
Part01-NAT Basics
1.1 NAT types
# Main types:
# 1. SNAT (Source NAT): source address translation
# - used for internal hosts reaching the Internet
# - rewrites the source IP address
# 2. DNAT (Destination NAT): destination address translation
# - used for external clients reaching internal hosts
# - rewrites the destination IP address
# 3. MASQUERADE: dynamic SNAT
# - for interfaces with a dynamic IP address
# - uses the outgoing interface's current address automatically
# 4. REDIRECT: port redirection
# - redirects to a port on the local machine
# - commonly used for proxies
# Use cases:
# 1. Shared Internet access for an internal network
# 2. Server port mapping
# 3. Load balancing
# 4. Network segmentation
Part02-SNAT Configuration
2.1 Configuring source address translation
$ sudo sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
# Make it persistent
$ echo "net.ipv4.ip_forward = 1" | sudo tee /etc/sysctl.d/99-ipforward.conf
# Show network interfaces
$ ip addr show
1: lo:
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0:
link/ether 08:00:27:12:34:56 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.1/24 brd 192.168.1.255 scope global noprefixroute eth0
3: eth1:
link/ether 08:00:27:ab:cd:ef brd ff:ff:ff:ff:ff:ff
inet 202.100.1.100/24 brd 202.100.1.255 scope global noprefixroute eth1
# Configure SNAT (static public IP)
$ sudo iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j SNAT --to-source 202.100.1.100
# Show NAT rules
$ sudo iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * eth1 192.168.1.0/24 0.0.0.0/0 to:202.100.1.100
# Configure MASQUERADE (dynamic IP)
$ sudo iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE
# Show the rules
$ sudo iptables -t nat -L POSTROUTING -n -v
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * eth1 192.168.1.0/24 0.0.0.0/0 to:202.100.1.100
0 0 MASQUERADE all — * eth1 192.168.1.0/24 0.0.0.0/0
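The listing above ends with both an SNAT and a MASQUERADE rule for the same source network on eth1; since the nat table stops at the first matching rule, the second one never fires. The following script is an added example, not part of this tutorial: it audits pasted `iptables -t nat -L POSTROUTING -n -v` output for such shadowed rules and checks that every SNAT --to-source address is actually configured on its out interface (a wrong address sends traffic out but the replies never come back). The sample listings are constructed (the eth0 rule and its address are made up), and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the tutorial: audit the nat POSTROUTING chain
# from pasted listing text, so it runs offline without root or iptables.

# Constructed sample of `iptables -t nat -L POSTROUTING -n -v`, modelled on
# the listing above; the eth0 rule is an extra constructed entry.
SAMPLE_POSTROUTING='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      eth1    192.168.1.0/24       0.0.0.0/0            to:202.100.1.100
    0     0 MASQUERADE all  --  *      eth1    192.168.1.0/24       0.0.0.0/0
    0     0 SNAT       all  --  *      eth0    10.0.0.0/24          0.0.0.0/0            to:203.0.113.9'

# Constructed sample of `ip -4 addr show` for the same two interfaces.
SAMPLE_IPADDR='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 192.168.1.1/24 brd 192.168.1.255 scope global noprefixroute eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 202.100.1.100/24 brd 202.100.1.255 scope global noprefixroute eth1'

# The nat table stops at the first rule that matches, so a second SNAT or
# MASQUERADE rule for the same (out interface, source) pair never fires.
# Prints one SHADOWED line per dead rule.
nat_postrouting_shadowed() {
    printf '%s\n' "$1" | awk '
        $3 == "SNAT" || $3 == "MASQUERADE" {
            key = $7 "|" $8
            if (key in seen) {
                printf "SHADOWED %s out=%s src=%s (first match: %s)\n", $3, $7, $8, seen[key]
            } else {
                seen[key] = $3
            }
        }'
}

# An SNAT --to-source address that is not configured on the out interface
# sends traffic out, but the replies addressed to it never reach this host.
# Prints one BAD-SOURCE line per such rule. Assumes `ip addr` output where
# the interface label is the last field of each inet line.
nat_snat_source_check() {
    addrs=$(printf '%s\n' "$2" | awk '$1 == "inet" { split($2, a, "/"); print $NF "|" a[1] }')
    printf '%s\n' "$1" | awk -v addrs="$addrs" '
        BEGIN { n = split(addrs, list, "\n"); for (i = 1; i <= n; i++) have[list[i]] = 1 }
        $3 == "SNAT" {
            to = $10; sub(/^to:/, "", to); sub(/:.*/, "", to)
            if (!(($7 "|" to) in have)) {
                printf "BAD-SOURCE out=%s to=%s is not an address of %s\n", $7, to, $7
            }
        }'
}

# Stand-alone run: audit the constructed samples.
nat_postrouting_shadowed "$SAMPLE_POSTROUTING"
nat_snat_source_check "$SAMPLE_POSTROUTING" "$SAMPLE_IPADDR"
```

On a real gateway, source the file and call `nat_postrouting_shadowed "$(sudo iptables -t nat -L POSTROUTING -n -v)"` and `nat_snat_source_check "$(sudo iptables -t nat -L POSTROUTING -n -v)" "$(ip -4 addr show)"`; empty output means nothing was found.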
Part03-DNAT Configuration
3.1 Configuring port mappings
# DNAT port mapping (SSH)
$ sudo iptables -t nat -A PREROUTING -d 202.100.1.100 -p tcp --dport 22 -j DNAT --to-destination 192.168.1.10:22
# DNAT port mapping (HTTP)
$ sudo iptables -t nat -A PREROUTING -d 202.100.1.100 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.20:80
# DNAT port mapping (HTTPS)
$ sudo iptables -t nat -A PREROUTING -d 202.100.1.100 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.20:443
# Port range mapping (note: --dport takes lo:hi, --to-destination takes lo-hi)
$ sudo iptables -t nat -A PREROUTING -d 202.100.1.100 -p tcp --dport 8000:9000 -j DNAT --to-destination 192.168.1.30:8000-9000
# Port redirection to a port on the local machine
$ sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
# Show DNAT rules
$ sudo iptables -t nat -L PREROUTING -n -v
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 202.100.1.100 tcp dpt:22 to:192.168.1.10:22
0 0 DNAT tcp -- * * 0.0.0.0/0 202.100.1.100 tcp dpt:80 to:192.168.1.20:80
0 0 DNAT tcp -- * * 0.0.0.0/0 202.100.1.100 tcp dpt:443 to:192.168.1.20:443
# Test the port mapping
$ curl -I http://202.100.1.100
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 03 Apr 2026 17:30:00 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Thu, 03 Apr 2026 17:00:00 GMT
Connection: keep-alive
ETag: "6604a000-264"
Accept-Ranges: bytes
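A DNAT rule only rewrites the destination; the translated packet is then routed and still has to be accepted by the filter table's FORWARD chain, which the rules above do not touch (on a host whose FORWARD policy is ACCEPT this goes unnoticed, and a port mapping then forwards more than intended). The following script is an added example, not from the tutorial: it prints, for review, the nat rule together with a matching FORWARD rule, enforces the lo:hi versus lo-hi range syntax that the 8000:9000 / 8000-9000 rule above depends on, and rejects bad port specifications. The function names and the baseline rule set are mine; nothing is applied to the running firewall.

```shell
#!/bin/sh
# Added example, not code from the tutorial: build a DNAT port mapping as
# iptables command text, pairing the nat rule with the FORWARD rule it needs.
# Nothing is applied; the output is meant to be reviewed first.

# Check a port or "lo-hi" range: digits only, 1..65535, lo <= hi.
# Prints "ok" and returns 0, or prints the problem and returns 1.
portspec_check() {
    spec=$1
    lo=${spec%-*}
    hi=${spec#*-}
    for p in "$lo" "$hi"; do
        case "$p" in ''|*[!0-9]*) echo "bad port spec: $spec"; return 1 ;; esac
    done
    if [ "$lo" -lt 1 ] || [ "$hi" -gt 65535 ] || [ "$lo" -gt "$hi" ]; then
        echo "bad port spec: $spec"; return 1
    fi
    echo ok
}

# Arguments: ext_ip proto portspec int_ip [int_portspec]
# int_portspec defaults to portspec. Note the two syntaxes iptables expects:
# --dport takes lo:hi, while --to-destination takes addr:lo-hi.
dnat_portmap_rules() {
    ext_ip=$1 proto=$2 pspec=$3 int_ip=$4
    ispec=${5:-$3}
    portspec_check "$pspec" >/dev/null || return 1
    portspec_check "$ispec" >/dev/null || return 1
    ext_match=$(printf '%s' "$pspec" | tr '-' ':')
    int_match=$(printf '%s' "$ispec" | tr '-' ':')
    # nat: rewrite the destination before routing
    printf 'iptables -t nat -A PREROUTING -d %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$ext_ip" "$proto" "$ext_match" "$int_ip" "$ispec"
    # filter: DNAT only rewrites; the rewritten packet still has to pass FORWARD,
    # so allow exactly the mapped flow (replies are matched by the general
    # ESTABLISHED,RELATED rule printed by forward_baseline_rules)
    printf 'iptables -A FORWARD -d %s -p %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$int_ip" "$proto" "$int_match"
}

# Baseline for a NAT gateway whose FORWARD policy is DROP: accept return
# traffic of tracked connections and let the LAN side out through the WAN
# interface; everything else, including unmapped inbound traffic, is dropped.
forward_baseline_rules() {
    lan_if=$1 wan_if=$2
    printf 'iptables -P FORWARD DROP\n'
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf 'iptables -A FORWARD -i %s -o %s -j ACCEPT\n' "$lan_if" "$wan_if"
}

# Stand-alone run: the HTTP mapping and the port-range mapping from above.
forward_baseline_rules eth0 eth1
dnat_portmap_rules 202.100.1.100 tcp 80 192.168.1.20
dnat_portmap_rules 202.100.1.100 tcp 8000-9000 192.168.1.30
```

The output is plain iptables commands, so it can be read line by line and then fed to a shell once it looks right; the baseline rules go in first, and each mapping adds one nat rule and one FORWARD rule.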
Part04-Configuring NAT with firewalld
4.1 firewalld NAT configuration
$ sudo firewall-cmd --get-active-zones
public
interfaces: eth0 eth1
# Enable masquerading (firewalld also turns on IP forwarding for the zone)
$ sudo firewall-cmd --permanent --add-masquerade
success
# Configure port forwarding
$ sudo firewall-cmd --permanent --add-forward-port=port=22:proto=tcp:toport=22:toaddr=192.168.1.10
success
$ sudo firewall-cmd --permanent --add-forward-port=port=80:proto=tcp:toport=80:toaddr=192.168.1.20
success
# Reload the firewall
$ sudo firewall-cmd --reload
success
# Show the port-forwarding rules
$ sudo firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0 eth1
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
forward: yes
masquerade: yes
forward-ports:
port=22:proto=tcp:toport=22:toaddr=192.168.1.10
port=80:proto=tcp:toport=80:toaddr=192.168.1.20
source-ports:
icmp-blocks:
rich rules:
# Configure a rich rule
$ sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" masquerade'
success
# NAT for a specific port
$ sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" forward-port port="443" protocol="tcp" to-port="443" to-addr="192.168.1.20"'
success
# Reload
$ sudo firewall-cmd --reload
success
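The forward-port value is one long colon-separated string, and a typo in it is easy to miss until firewall-cmd rejects it or, worse, traffic lands on the wrong host. The following script is an added example, not part of the tutorial or of firewalld: it parses a `port=...:proto=...:toport=...:toaddr=...` specification, checks each element, and prints a one-line summary before the value is committed with --permanent. It assumes IPv4 targets; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the tutorial or from firewalld: validate a
# --add-forward-port specification before committing it with --permanent.

# Return 0 if $1 is a dotted-quad IPv4 address with each octet 0..255.
ipv4_ok() {
    addr=$1
    IFS=.; set -- $addr; unset IFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# Parse "port=P:proto=X:toport=Q:toaddr=A" (firewalld's forward-port syntax
# used in the commands above), check each element and print a summary.
# Returns 1 on any problem.
forward_port_spec_check() {
    spec=$1
    port='' proto='' toport='' toaddr=''
    IFS=:; set -- $spec; unset IFS
    for kv in "$@"; do
        case "$kv" in
            port=*)   port=${kv#port=} ;;
            proto=*)  proto=${kv#proto=} ;;
            toport=*) toport=${kv#toport=} ;;
            toaddr=*) toaddr=${kv#toaddr=} ;;
            *) echo "unknown element: $kv"; return 1 ;;
        esac
    done
    [ -n "$port" ] || { echo "missing port="; return 1; }
    case "$proto" in tcp|udp|sctp|dccp) ;; *) echo "bad proto: $proto"; return 1 ;; esac
    # firewalld writes port ranges as lo-hi, so accept digits and at most one dash
    for p in "$port" "$toport"; do
        if [ -z "$p" ]; then continue; fi
        case "$p" in *[!0-9-]*|-*|*-|*-*-*) echo "bad port: $p"; return 1 ;; esac
    done
    [ -n "$toport" ] || [ -n "$toaddr" ] || { echo "need toport= or toaddr="; return 1; }
    if [ -n "$toaddr" ] && ! ipv4_ok "$toaddr"; then
        echo "bad toaddr: $toaddr"; return 1
    fi
    echo "ok port=$port/$proto -> ${toaddr:-local}:${toport:-$port}"
}

# Stand-alone run: the two specifications from above plus one constructed typo.
forward_port_spec_check 'port=22:proto=tcp:toport=22:toaddr=192.168.1.10'
forward_port_spec_check 'port=80:proto=tcp:toport=80:toaddr=192.168.1.20'
forward_port_spec_check 'port=80:proto=tcp:toport=80:toaddr=192.168.1.999' || true
```

A wrapper can run the check and only call `firewall-cmd --permanent --add-forward-port="$spec"` when it returns 0, so a broken string is never written to the permanent configuration.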
Part05-NAT Troubleshooting
5.1 NAT connection tracking
$ sudo cat /proc/net/nf_conntrack | head -10
ipv4 2 tcp 6 431998 ESTABLISHED src=192.168.1.10 dst=8.8.8.8 sport=54321 dport=53 src=8.8.8.8 dst=202.100.1.100 sport=53 dport=54321 [ASSURED] mark=0 zone=0 use=2
# Current number of tracked connections
$ sudo cat /proc/sys/net/netfilter/nf_conntrack_count
15
# Maximum size of the connection-tracking table
$ sudo cat /proc/sys/net/netfilter/nf_conntrack_max
65536
# Use the conntrack tool
$ sudo dnf install -y conntrack-tools
# List tracked connections
$ sudo conntrack -L
tcp 6 431998 ESTABLISHED src=192.168.1.10 dst=8.8.8.8 sport=54321 dport=53 src=8.8.8.8 dst=202.100.1.100 sport=53 dport=54321 [ASSURED] mark=0 use=1
# Connections from a specific source
$ sudo conntrack -L -s 192.168.1.10
# Delete the tracking entries for that source
$ sudo conntrack -D -s 192.168.1.10
# Tracked TCP connections to destination port 80
$ sudo conntrack -L -p tcp --dport 80
# Monitor connection-tracking events in real time
$ sudo conntrack -E
[UPDATE] tcp 6 120 SYN_SENT src=192.168.1.10 dst=8.8.8.8 sport=54322 dport=80 [UNREPLIED] src=8.8.8.8 dst=202.100.1.100 sport=80 dport=54322
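Each conntrack entry lists the original tuple followed by the reply tuple, so a flow's NAT treatment can be read off by comparing the two, and nf_conntrack_count against nf_conntrack_max shows how close the gateway is to refusing new connections. The following script is an added example, not part of the tutorial: it classifies pasted `conntrack -L` or /proc/net/nf_conntrack lines as SNAT, DNAT or untranslated and reports table usage against a threshold. The sample entries are constructed (the first mirrors the listing above, the others are made up), and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the tutorial: classify tracked flows by the
# NAT applied to them and watch table usage, from pasted text so it runs offline.

# Constructed sample in `conntrack -L` format; the first line mirrors the
# listing above, the others are made up (a DNAT'd web flow and a plain LAN flow).
SAMPLE_CONNTRACK='tcp      6 431998 ESTABLISHED src=192.168.1.10 dst=8.8.8.8 sport=54321 dport=53 src=8.8.8.8 dst=202.100.1.100 sport=53 dport=54321 [ASSURED] mark=0 use=1
tcp      6 110 TIME_WAIT src=203.0.113.7 dst=202.100.1.100 sport=40000 dport=80 src=192.168.1.20 dst=203.0.113.7 sport=80 dport=40000 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.1 dst=192.168.1.10 sport=123 dport=123 src=192.168.1.10 dst=192.168.1.1 sport=123 dport=123 mark=0 use=1'

# Each entry carries the original tuple followed by the reply tuple. If the
# reply is addressed somewhere other than the original source, the source was
# rewritten (SNAT/MASQUERADE); if the reply comes from somewhere other than
# the original destination, the destination was rewritten (DNAT/REDIRECT).
# Accepts both `conntrack -L` and /proc/net/nf_conntrack lines.
conntrack_nat_kind() {
    printf '%s\n' "$1" | awk '
        {
            n = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^src=/)        { n++; src[n] = substr($i, 5) }
                else if ($i ~ /^dst=/)   dst[n] = substr($i, 5)
                else if ($i ~ /^dport=/) dport[n] = substr($i, 7)
            }
            if (n < 2) next
            proto = ($1 == "ipv4" || $1 == "ipv6") ? $3 : $1
            kind = "NONE"
            if (dst[2] != src[1]) kind = "SNAT"
            if (src[2] != dst[1]) kind = (kind == "SNAT") ? "SNAT+DNAT" : "DNAT"
            printf "%s %s %s -> %s:%s (reply %s -> %s)\n", kind, proto, src[1], dst[1], dport[1], src[2], dst[2]
        }'
}

# Table usage as an integer percentage of nf_conntrack_max.
conntrack_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# OK/WARN line for a usage threshold (default 80%). When the table is full the
# kernel drops packets that would need a new entry, which on a NAT gateway
# shows up as new connections failing while existing ones keep working.
conntrack_usage_alert() {
    pct=$(conntrack_usage_pct "$1" "$2")
    if [ "$pct" -ge "${3:-80}" ]; then
        echo "WARN conntrack table ${pct}% full ($1/$2)"
    else
        echo "OK conntrack table ${pct}% full ($1/$2)"
    fi
}

# Stand-alone run with the constructed sample and the counters shown above.
conntrack_nat_kind "$SAMPLE_CONNTRACK"
conntrack_usage_alert 15 65536
```

On a live gateway, feed it with `conntrack_nat_kind "$(sudo conntrack -L 2>/dev/null)"` and `conntrack_usage_alert "$(cat /proc/sys/net/netfilter/nf_conntrack_count)" "$(cat /proc/sys/net/netfilter/nf_conntrack_max)"`. Raising nf_conntrack_max buys headroom, but a table that keeps filling usually points at a flood of short-lived flows or at timeouts that are too long for the traffic mix.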
1. Enable IP forwarding
2. Use MASQUERADE for dynamic IP addresses
3. Configure port-mapping rules carefully
4. Monitor connection-tracking table usage
5. Check periodically that the NAT rules are still valid
Compiled and published by 风哥教程 for learning and testing only; when reposting, cite the source: http://www.fgedu.net.cn/10327.html
